Detailed Action 

1. This action is responsive to communication: amendment filed on 
21 July 2005; the original application was filed on 8 January 2001. 

2. Due to amendment, claims 1-15, 18-26, and 28-35 are currently pending in this 
application. Claims 1, 8, 13, 18, 23, 24, 29, 32, and 34 are independent claims. Claims 16, 17, 
and 27 have been canceled. Claims 1, 8, 18, 23, 24, 28, and 29 have been amended. The 
amendment to the claims is accepted. 

Response to Arguments 
3. Applicant's arguments filed on 21 July 2005 have been fully considered but they are not 
persuasive. 

In response to applicant's argument on pages 16-21, "Request to Withdraw Finality": 
the Office disagrees that the modifications to the claims raise new issues and that a new search would 
be required. In addition, a request for removal of the finality of rejection is unwarranted because 
the action mailed 24 January 2005 rejected the claims proposed at that time. The applicant 
argues the grouping of the claims but fails to argue what text in the grouped claims is not accounted 
for in the reference. In addition, as noted below as well as in conversation with Kasey C. Christie 
at (509) 324-9256, attorney of record, on 15 October 2005, the claims as written are unclear and 
contain numerous 112, second paragraph errors. 

In response to applicant's argument pertaining to claims 1-12 and 18-31, in which the 
independent claims were amended, these arguments are moot due to new grounds for rejection. 

In response to applicant's argument beginning on page 44, "Olden does not disclose 
receiving a CredUI-prompt-for-credentials call having a set of parameters comprising a 
TargetName, Context, AuthFlags, and Flags ... It appears to the Applicant that the Office is 
combining two or extrapolated and generalized conclusions about Olden and equating it to a very 
specific and explicit recitation in the claim language": the Office disagrees. The claims as 
written do not make the claimed invention any different from receiving an authorization request 
and returning the credential associated with a specific resource. This is shown in Olden 
throughout, as well as in the previous Office Actions and below. The Examiner notes that the 
applicant uses the terms "parsing" and "persisting" in the claims. These terms are 
not defined or used anywhere in the specification. 

In response to applicant's argument beginning on page 47, "Furthermore, Applicant 
submits that Olden does not disclose all of the steps of this method (parsing a call; obtaining 
a credential; associating; and persisting) ... Rather, the Office notes that Olden disclosed 
"database processing" and that it must necessarily perform the tasks as recited in this claim": 
the Office disagrees. The processing that takes place in Olden offers the same detail the applicant is 
claiming: matching a credential to a user and a resource and returning the appropriate credential 
requested by a resource. This is shown in Olden throughout, as well as in the previous Office 
Actions and below. 

Claim Rejections - 35 USC § 112 
4. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 
5. Claims 1-12, 24-26, 28, and 29-31 are rejected under 35 U.S.C. 112, second paragraph, as 
being indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. 

6. Claims 1, 8, 24, and 29 are indefinite because from the text of the claims it is unclear what 
credential is being referred to and what steps are taking place. For example, in claim 1, the 
second and third bullets "obtaining a request for a high-level credential" and "marshalling the 
requested high-level credential": the words "high-level" are indefinite. In the second bullet the 
legacy application is making the request; it would seem more likely that the legacy application 
would be requesting a low-level credential, such as user name and password. Furthermore, in the 
second bullet it would make more sense to delete the phrase "high-level"; moreover, the step 
of converting the high-level credential to a "low-level" credential appears to be nothing more 
than matching the user ID in a database and determining the appropriate credential for the 
resource or service. In claims 8 and 24, the steps appear to be out of order and perhaps missing 
some steps. As to the third bullet, "retrieving the requested credential from a database": how can this 
be performed if the computing environment only has provision for low-level credentials and a 
high-level credential is requested? In claim 29, the steps appear to be out of order and perhaps 
missing some steps: how could a user be authenticating to a network if the system is returning 
low-level formatted credentials to a system that is requesting high-level credentials? 

7. To expedite a complete examination of the instant application, the claims rejected under 
35 U.S.C. 112 above are further rejected as set forth below in anticipation of applicant amending 
these claims to place them within the statutory categories of the invention. 
Claim Rejections - 35 USC § 102 

8. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

9. Claims 13-15 and 32-35 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Olden U.S. Patent No. 6,460,141 (hereinafter '141). 

As to independent claim 13, "A method for authenticating a user to a network, the 
method comprising: obtaining a request for a credential to authenticate the user to access a 
resource within the network, wherein the resource requires an appropriate credential 
before the user may access the resource; locating the appropriate credential; returning the 
appropriate credential to the resource within the network, so that the resource allows the 
user to access such resource; wherein the obtaining, locating, and returning are performed 
without user interaction so that the user need not be aware that such steps are being 
performed" is taught in '141 col. 25, lines 29-39. 

As to dependent claim 14, "further comprising repeating the obtaining, locating, 
and returning for a different network that is authenticated using a different credential" is 
taught in '141 col. 23, lines 55-67 and col. 25, lines 5-20. 

As to dependent claim 15, this claim is directed to a computer-readable medium of the 
method of claim 13 and is rejected along the same rationale. 
As to independent claim 32, "An application programming interface (API) method 
comprising" is taught in '141 col. 3, lines 39-61; 

"receiving a CredUI-prompt-for-credentials call having a set of parameters 
comprising a TargetName, Context, AuthFlags, and Flags; parsing the call to retrieve the 
parameters to determine a specified resource; obtaining a credential; associating the 
credential with the specified resource; persisting the credential into a database while 
maintaining the credential's association with the specified resource" is shown in '141 col. 9, 
line 27 through col. 10, line 36. 

As to dependent claim 33, "wherein the set of parameters further comprises an 
indicator of a data structure containing customized information to display in conjunction 
with a user interface" is disclosed in '141 col. 10, lines 32-39. 

As to independent claim 34, "An application programming interface (API) method 
comprising: receiving a CredUI-prompt-for-credentials call having a set of parameters 
comprising a TargetName, UserName, Password, and Flags; parsing the call to retrieve 
the parameters to determine a requesting application" is taught in '141 col. 9, lines 27-45; 

"obtaining a low-level credential from a user, wherein such credential includes a 
username and a password; returning the low-level credential to the requesting 
application" is shown in '141 col. 7, lines 26-41. 

As to dependent claim 35, "wherein the set of parameters further comprises an 
indicator of a data structure containing customized information to display in conjunction 
with a user interface" is disclosed in '141 col. 10, lines 17-39. 
10. Claims 18-19, 21, and 22 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Stoltz et al. U.S. Patent No. 6,615,264, (hereinafter '264). 

As to independent claim 18, "A credential management architecture, comprising: a 
trusted computing base (TCB) that has full access to persisted credentials, the TCB being 
configured to interact with an untrusted computing layer (UTCL) that accesses the 
persisted credentials via the TCB" is shown in '264 col. 5, lines 56-64 and col. 7, lines 19-23; 

"the TCB comprises: a credential management module configured to receive 
requests from the UTCL for a high level credential for a resource, the high level credential 
being associated with a user and not being username-and-password based authorization" is 
disclosed in '264 col. 8, lines 57-65; 

"a credential database associated with the user, wherein credentials are persisted 
within the database; the credential management module being configured to retrieve 
credentials from the database" is taught in '264 col. 9, lines 35-37. 

As to dependent claim 19, "architecture as recited in claim wherein credential 
management module is further configured to marshal a requested high-level credential and 
return the marshaled credential to the UTCL" is disclosed in '848 col. 4, lines 16-34. 

As to dependent claim 21, "A computer-readable medium having computer- 
executable instructions that, when executed by a computer, employ an architecture as 
recited in claim 18" is shown in '264 col. 4, lines 16-22. 

As to dependent claim 22, "An operating system embodied on a computer-readable 
medium having computer-executable instructions that, when executed by a computer, 
employ an architecture as recited in claim 18" is disclosed in '264 col. 5, lines 51-55. 
Claim Rejections - 35 USC § 103 
11. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

12. Claims 1-12, 20-26, and 28-31 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Stoltz et al. U.S. Patent No. 6,615,264, (hereinafter '264) in further view of King et al. U.S. 
Patent No. 6,934,848, (hereinafter '848). 

As to independent claim 1, "A method for accommodating a legacy application, the 
legacy application having provisions for a low-level credential authorization model which 
employs username-and-password based authorization, the method comprising:" is taught in 
'264 col. 7, line 41 through col. 8, line 6 "FIG. 2 illustrates authentication and session 
management components and their interactions according to an embodiment of the invention. 
Network terminal 202 is a human interface device (HID) (e.g., HIDs 821, 822 and 823). An HID 
has, as examples of its functions, the task of displaying output of services to a user and obtaining 
input to services from the user. Network terminal 202 has the ability to respond to a command 
(e.g., display command) received from, for example, a software program (e.g., services 230-238, 
authentication manager 204 and session manager 206) executing on a computational service 
provider (e.g., computers 710, 711, 712, 713, and 714). The input received from a user is 
forwarded to, for example, a service that is fulfilling a user request. More than one server can 
execute the services that comprise a session. For example, in session 208, service 230 is 
executing on server 210, services 232 and 234 are executing on server 212 and services 236 and 
238 are executing on server 214. A user may access a system (e.g., a server, a session, a service 
and a network terminal) by initiating a login or other authentication mechanism (e.g., smart card, 
biometric data, etc.). A separate authentication module 240 may be utilized for each 
authentication mechanism. During login, the user is validated by an authentication module 240. 
The authentication modules 240 communicate with authentication manager 240 where a user 
may be associated with a particular session"; 

"obtaining a request for a high-level credential from a legacy application, wherein a 
high-level credential authorization model does not employ username-and-password based 
authorization" is shown in '264 col. 8, lines 57-65 "Authentication modules 240 each have the 
option of accepting or declining responsibility for a particular connection. Authentication 
modules 240 may base their decision on other available system resources or settings (e.g., from 
services 230-238, external databases, etc.). In one or more embodiments, an authentication 
module 240 can be configured to accept all users all of the time, to only accept connections with 
smart cards, or to only accept users with pseudo tokens, for example"; 
The following is not taught in '264: "marshalling the requested high-level credential, the 
marshalling is characterized by converting a description of the high-level credential into a 
format recognizable as a low-level credential by the legacy application employing a low-
level credential authorization model; returning the marshaled credential to the legacy 
application"; however, '848 teaches "Processing the first sign-on further comprises: establishing 
the secure session from a client machine to a server machine using the digital certificate, wherein 
the digital certificate represents an identity of the client machine or a user thereof; storing the 
digital certificate or a reference thereto at the server machine; establishing a session from the 
server machine to a host system using a legacy host communication protocol; passing the stored 
digital certificate or the reference from the server machine to a host access security system; 
authenticating, by the host access security system, the identity using the passed digital certificate 
or a retrieved certificate which is retrieved using the reference; using the passed or retrieved 
digital certificate to locate access credentials for the user; accessing a stored password or 
generating a password substitute representing the located credentials; and using the stored 
password or the generated password substitute to transparently complete the first sign-on to a 
secure legacy host application executing at the host system" in col. 4, lines 16-34. 

It would have been obvious to one of ordinary skill in the art at the time of the invention 
to modify a security and access management method taught in '264 to include an authentication 
means that accommodates legacy applications. One of ordinary skill in the art would have been 
motivated to perform such a modification because there are instances in a SSO application that 
different security credentials are required by a user; see '848 (col. 3, lines 17 et seq.): 
"Furthermore, there may be cases where it would be desirable to provide different sign-on 
credentials during a secure host access session, following the initial sign-on. As an example, it 
may be necessary for the current legacy host application user's supervisor to sign on to the legacy 
application, such as when a special transaction requiring supervisory authority is to be 
performed. Or, it may happen that different security credentials are required for a user when he 
wishes to change from one legacy host application to another. As another example, there may be 
applications for which it is necessary or desirable to force the user to re-authenticate himself by 
providing his security credentials again (for example, by swiping his Smart Card through a Smart 
Card reader) at defined points, such as when a new application transaction begins. Because 
establishing a secure connection between the client and the TN3270 server or Web application 
server using a security protocol such as SSL is relatively expensive in terms of computation and 
networking resources, the performance overhead incurred in re-starting the session in order to 
supply a different certificate that signifies different user credentials makes this a less-than- 
optimal solution. Thus, a technique is needed which enables changing the user's credentials 
within the scope of an on-going secure session. Neither the prior art nor the related invention 
provide this capability". 

As to dependent claim 2, "further comprising, after the obtaining, seeking the 
requested credential in a database of credentials" is taught in '264 col. 9, lines 35-37 
"Authentication module 240 verifies the challenge response with user information retained in 
authentication database 218, for example, information supplied by the user and information that 
is generated during authentication". 

As to dependent claim 3, "wherein a high-level credential is a credential selected 
from a group composed of X.509 Certificates and bio-metrics" is shown in '264 col. 7, 
lines 61-65. 

As to dependent claim 4 "wherein the marshaled credentials appear to be a 
conventional username/password pair to the legacy application" is disclosed in '848 col. 4, 
lines 16-34. 

As to dependent claim 5, "wherein marshalling comprises: obtaining the requested 
high-level credential; pickling the requested high-level credential to generate a low-level 
credential that represents the requested high-level credential while appearing to be a 
conventional username/password pair to the legacy application" is taught in '848 in col. 4, 
lines 16-34. 

As to dependent claim 6, "A method as recited in claim 1, wherein the legacy 
application never has access to the high-level credential" is shown in '848 col. 18 line 60 
through col. 19, line 8 "which then makes it more difficult for a security exposure to extend 
beyond the scope of a single host application. As will be obvious to one of skill in the art, the 
server determines whether the legitimate certificate holder sent the subsequent sign-on by using 
the public key 374 from the transmitted certificate to decrypt the AUTHINFO parameter value. 
Upon decrypting the value, the server compares the concatenated information to the server's 
copy of the random seed and sequence number, and to the application ID sent on the APPLID 
parameter. In this manner, the server can authenticate the changed credentials during the on-
going session in a manner that is transparent to the legacy host application". 
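As an added illustration (not the applicant's, the examiner's, or either cited patent's code) of the marshalling recited in claims 1, 4, 5 and 6 above: a trusted component holds the persisted X.509 credential and hands the legacy application a username/password-shaped stand-in, and the resource side resolves that pair back to the high-level credential without the legacy application ever seeing the certificate. All class and function names, the HMAC-based token format and the sample certificate bytes are assumptions.

```python
"""Credential marshalling: high-level (X.509) credential -> username/password stand-in.
Assumed design for illustration; names, token format and sample data are constructed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class HighLevelCredential:
    """A persisted high-level credential (claim 3: X.509 certificate or biometric)."""
    user: str
    kind: str        # "x509" or "biometric"
    material: bytes  # e.g. DER-encoded certificate; constructed sample in the test


class TrustedComputingBase:
    """Holds full access to persisted credentials (claim 18); the legacy app never does."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # assumed per-TCB marshalling key
        self._db = {}      # (user, resource) -> HighLevelCredential
        self._issued = {}  # marshaled username -> (user, resource, expiry, digest)

    def persist(self, resource, cred):
        """Store the credential while keeping its association with the resource."""
        self._db[(cred.user, resource)] = cred

    def marshal(self, user, resource, ttl=300):
        """Convert a description of the high-level credential into a pair that looks
        like a conventional username/password to the legacy app (claims 1, 4, 5)."""
        cred = self._db.get((user, resource))
        if cred is None:
            raise LookupError("no persisted credential for this user/resource")
        handle = secrets.token_hex(8)          # opaque "username"
        expiry = time.time() + ttl
        digest = hashlib.sha256(cred.material).hexdigest()
        # The "password" is a MAC over handle, credential digest and expiry, so it
        # references the credential without carrying any certificate material.
        msg = f"{handle}:{digest}:{int(expiry)}".encode()
        tag = hmac.new(self._key, msg, "sha256").hexdigest()
        self._issued[handle] = (user, resource, expiry, digest)
        return handle, tag

    def resolve(self, resource, username, password):
        """Resource-side check: map the marshaled pair back to the high-level credential,
        refusing replay against another resource, expired handles and forged tags."""
        rec = self._issued.get(username)
        if rec is None:
            return None
        user, res, expiry, digest = rec
        if res != resource or time.time() > expiry:
            return None
        msg = f"{username}:{digest}:{int(expiry)}".encode()
        expected = hmac.new(self._key, msg, "sha256").hexdigest()
        if not hmac.compare_digest(expected, password):
            return None
        return self._db[(user, resource)]


def resource_accepts(tcb, resource, username, password):
    """The protected resource asks the TCB whether the presented pair is valid."""
    return tcb.resolve(resource, username, password) is not None


def legacy_app_login(tcb, user, resource):
    """UTCL side: the legacy app requests a credential and only ever handles the
    marshaled username/password pair (claim 6), which it forwards unchanged."""
    username, password = tcb.marshal(user, resource)
    return resource_accepts(tcb, resource, username, password), username, password


if __name__ == "__main__":
    tcb = TrustedComputingBase()
    cert = HighLevelCredential("alice", "x509", b"CONSTRUCTED-DER-SAMPLE-BYTES")
    tcb.persist("mainframe", cert)
    ok, u, p = legacy_app_login(tcb, "alice", "mainframe")
    print("legacy login accepted:", ok, "| pair seen by legacy app:", u, p)
```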

As to dependent claim 7, "A computer-readable medium having computer- 
executable instructions that, when executed by a computer, perform a method as recited in 
claim 1" is taught in '264 col. 4, lines 16-23 "An embodiment of the invention can be 
implemented as computer software in the form of computer readable code executed on a general 
purpose computer such as computer 100 illustrated in FIG. 1". 

As to independent claim 8, "In a computing environment where processes have a 
provision for low-level credentials but have no provision for high-level credentials, wherein 
a provision for low-level credentials employs username-and-password based authorization 
while a provision for high-level credentials does not employ username-and-password based 
authorization, a method for accommodating such processes comprising:" is taught in '264 
col. 7, line 41 through col. 8, line 6; 

"obtaining a request for a credential from a process, wherein the requested 
credential is a high-level credential, which is not username-and-password based" is shown 
in '264 col. 8, lines 57-65; 

"retrieving the requested credential from a database" is disclosed in '264 col. 9, 
lines 35-37; 

"converting the requested high-level credential into a format approximating a low- 
level credential and representative of the requested high-level credential; returning the 
converted credential to the process" is taught in '848 col. 4, lines 16-34. 

As to dependent claim 9, "wherein a high-level credential is a credential selected 
from a group composed of X.509 Certificates and bio-metrics" is taught in '264 col. 7, 
lines 61-65. 

As to dependent claim 10, "wherein the converted credentials appear to be a 
conventional username/password pair to the process" is shown in '264 col. 7, lines 61-65. 

As to dependent claim 11, "wherein the process never has access to the high-level 
credential" is disclosed in '848 col. 18, line 60 through col. 19, line 8. 

As to dependent claim 12, "A computer-readable medium having computer- 
executable instructions that, when executed by a computer, perform a method as recited in 
claim 8" is taught in '264 col. 4, lines 16-23. 
As to dependent claim 20, "An architecture as recited in claim 18, wherein the 
marshaled credentials appear to be a conventional username/password pair to the UTCL" 
is taught in '848 col. 4, lines 16-34. 

As to independent claim 23, "An apparatus comprising: a processor; a marshaler 
executable on the processor to: obtain a high-level credential wherein a high-level 
credential is employed in an authorization model which is not username-and-password 
based authorization" is shown in '264 col. 8, lines 57-65; 

"convert the high-level credential to generate a representation of the high-level 
credential that is formatted as a low-level credential so that it appears to be a conventional 
username/password pair" is disclosed in '848 col. 4, lines 16-34. 

As to independent claim 24, "A low-level-credential-application accommodation 
system comprising:" is taught in '264 col. 7, line 41 through col. 8, line 6; 

"a request obtainer configured to obtain a request for a high-level credential from a 
low-level-credential-application, wherein low-level credentials utilize username-and-
password based authorization while high-level credentials do not employ username-and-password 
based authorization" is shown in '264 col. 8, lines 57-65; 

"a credential retriever configured to retrieve the requested credential from a 
database of credentials" is disclosed in '264 col. 9, lines 35-37; 

"a marshaller configured to marshal the requested credential and return the 
marshaled credential to the low-level-credential-application, the marshalling performed by 
the marshaller is characterized by converting a description of the high-level credential-
application employing a low-level credential authorization model" is taught in '848 col. 4, 
lines 16-34. 

As to dependent claim 25, "wherein a high-level credential is a credential selected 
from a group composed of X.509 Certificates and bio-metrics" is shown in '264 col. 7, 
lines 61-65. 

As to dependent claim 26, "wherein the marshaled credentials appear to be a 
conventional username/password pair to the legacy application" is disclosed in '848 col. 4, 
lines 16-34. 

As to dependent claim 28, "wherein the low-level-credential-application never has 
access to the high-level credential" is taught in '848 col. 18, line 60 through col. 19, line 8. 

As to independent claim 29, "A system for authenticating a user to a network, the 
system comprising:" is shown in '264 col. 7, lines 6-25 "The computer systems described above 
are for purposes of example only"; 

"a request obtainer configured to obtain a request for a high level credential to 
authenticate the user to access a resource within the network wherein the resource requires 
an appropriate credential before the user may access the resource, wherein a high-level 
credential do not utilize username-and-password based for high-level credential 
authorization" is disclosed in '264 col. 8, lines 57-65; 

"a credential retriever configured to retrieve the appropriate high-level credential 
from a database of credentials" is taught in '264 col. 9, lines 35-37; 

"a credential marshaller configured to generate a representation of the high-level 
credential that is formatted as a low-level credential so that it appears to be a conventional 
username/password pair, wherein a low-level credential utilizes username-and-password 
based authorization; a credential returner configured to return the marshaled credential to 
the resource within the network, so that the resource allows the user to access such 
resource" is shown in '848 col. 4, lines 16-34; 

"wherein the obtainer, retriever, marshaller and returner are further configured to 
operate without user interaction" is disclosed in '848 col. 3, lines 51-53 "Another object of the 
present invention is to provide this technique in a manner that does not require the user to re-
identify himself". 

As to dependent claim 30, "An operating system comprising a system as recited in 
claim 29" is taught in '264 col. 5, lines 51-55. 

As to dependent claim 31, "A network environment comprising a system as recited 
in claim 29" is shown in '264 col. 5, lines 56-64. 

Conclusion 

13. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Ellen C. Tran whose telephone number is 
(571) 272-3842. The examiner can normally be reached from 6:30 am to 3:30 pm. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Gregory A. Morse, can be reached on (571) 272-3838. The fax phone number for the 
organization where this application or proceeding is assigned is (571) 273-8300. 
Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be 
obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 